X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=pimd%2Fmtracebis.c;h=c0d95aeed9e3799542ee7097f3d982b899a8e98e;hb=8669b45833da9bb1fc18bbcf3f1ac156da170dfa;hp=731fdb1beb5c5e71f9d382820e30439549a41c0d;hpb=18e994a0437cfba9f4c09bd62293e13e49ea774b;p=mirror_frr.git
diff --git a/pimd/mtracebis.c b/pimd/mtracebis.c
index 731fdb1be..c0d95aeed 100644
--- a/pimd/mtracebis.c
+++ b/pimd/mtracebis.c
@@ -266,6 +266,8 @@ static int recv_response(int fd, int *hops, struct igmp_mtrace *mtracer)
 int mtrace_len;
 int responses;
 unsigned short sum;
+ size_t mtrace_off;
+ size_t ip_len;
 recvd = recvfrom(fd, mtrace_buf, IP_AND_MTRACE_BUF_LEN, 0, NULL, 0);
@@ -292,17 +294,20 @@ static int recv_response(int fd, int *hops, struct igmp_mtrace *mtracer)
 if (sum != in_cksum(ip, ip->ip_hl * 4))
 return -1;
- mtrace = (struct igmp_mtrace *)(mtrace_buf + (4 * ip->ip_hl));
-
- mtrace_len = ntohs(ip->ip_len) - ip->ip_hl * 4;
-
- if ((char *)mtrace + mtrace_len
- > (char *)mtrace_buf + IP_AND_MTRACE_BUF_LEN)
+ /* Header overflow check */
+ mtrace_off = 4 * ip->ip_hl;
+ if (mtrace_off > MTRACE_BUF_LEN)
 return -1;
- if (mtrace_len < (int)MTRACE_HDR_SIZE)
+ /* Underflow/overflow check */
+ ip_len = ntohs(ip->ip_len);
+ if (ip_len < mtrace_off || ip_len < MTRACE_HDR_SIZE
+ || ip_len > MTRACE_BUF_LEN)
 return -1;
+ mtrace_len = ip_len - mtrace_off;
+ mtrace = (struct igmp_mtrace *)(mtrace_buf + mtrace_off);
+
 sum = mtrace->checksum;
 mtrace->checksum = 0;
 if (sum != in_cksum(mtrace, mtrace_len)) {
@@ -336,7 +341,7 @@ static int wait_for_response(int fd, int *hops, struct igmp_mtrace *mtrace,
 {
 fd_set readfds;
 struct timeval timeout;
- int ret = -1;
+ int ret;
 long msec, rmsec, tmsec;
 FD_ZERO(&readfds);
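Review bot: In the second hunk of recv_response (the rewritten length checks), `ip_len < MTRACE_HDR_SIZE` tests the whole IP datagram length, where the removed code tested the payload length `mtrace_len`; a packet whose `ip_len - mtrace_off` is smaller than the mtrace header now passes, and `mtrace->checksum` is then read from a payload that is too short. Compare the payload instead: `|| ip_len - mtrace_off < MTRACE_HDR_SIZE`, which cannot wrap because `ip_len < mtrace_off` is rejected first. Both bounds are also taken against the constant MTRACE_BUF_LEN rather than the byte count `recvd` returned by recvfrom(); unless the lines between the hunks already reject a `recvd` smaller than `ip_len`, adding that comparison keeps in_cksum() from running over bytes that were never received. recv_response starts and ends outside this hunk.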
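Review bot: In the wait_for_response hunk, dropping the `= -1` initializer leaves `ret` indeterminate until its first assignment, and the function body continues outside the hunk, so it cannot be confirmed here that every path assigns it before it is read or returned. If the initializer was removed to silence a dead-store warning, a short comment such as `/* assigned before first use below */` would record that; otherwise keeping `int ret = -1;` is the safer default for a function that reports failure through its return value.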